What Is Azure Private Link?

Maciej
3 min read · Mar 24, 2021

What is Azure Private Link? It is a service for securely connecting (linking) from inside a VNET to Azure PaaS services that live outside the VNET. This article is a supplement to the official Microsoft documentation.

A few words about features

Compared to traditional VNET service endpoints, Azure Private Link offers the following advantages:

  • Access scoped to specific resources from the VNET, which limits the risk of data leakage: with traditional service endpoints, the NSG service tag grants network access to every SQL Database in the same region as the one you intended to allow, because the tag cannot be narrowed any further. A Private Endpoint allows access only to the specific linked resource.
  • Reachable from on-premises or a peered VNET: a Private Endpoint lives inside the VNET and has an internal IP address. From on-premises or a remotely peered VNET, any client that can reach this internal IP address can connect securely to the Azure service behind the Private Endpoint. In other words, you access the Azure PaaS service as if it were a VM inside the VNET.

Concepts

Private Link service

Existing PaaS services such as SQL Database and Storage do not require you to deploy a Private Link service, because Private Link support is built into those services from the start. You need to deploy a Private Link service only when you publish your own service, fronted by a Standard Load Balancer, as an Azure Private Link service.

How to create a Private Link service using Azure PowerShell:

Private endpoint

A Private Endpoint is an endpoint within your VNET that connects privately and securely to the Private Link service described above. It uses a private IP address from your VNET, which effectively brings the service into your VNET.

How to create a private endpoint using the Azure portal:

Private DNS

Azure Private DNS is a PaaS service that manages and resolves custom domain names without requiring a custom DNS server inside the VNET. It can be used for internal name resolution of private endpoints.

A Private DNS zone is configured automatically when you enable Private DNS integration while creating a private endpoint.

DNS configuration for private endpoints:

https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview#dns-configuration

If you connect to the Private Link service by FQDN, you must configure DNS so that the name resolves to the IP address assigned to the private endpoint. Existing Azure PaaS services already have a public DNS configuration for their public endpoint, and that configuration must be overridden so that the name resolves to the private endpoint instead.
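The private endpoint, Private DNS and NSG points above, carried through as one Azure CLI procedure. This is an added example and not code from the article or from Microsoft: it creates a private endpoint for an existing Azure SQL logical server, integrates it with the privatelink.database.windows.net zone (the zone Azure uses for SQL Database private endpoints), pins an outbound NSG rule to the endpoint's address instead of the region-wide Sql service tag, and finally checks that the server FQDN resolves to a private address. The resource group, region, VNET, subnet, NSG, server and endpoint names are assumed placeholders; the resolution helpers (`is_private_ipv4`, `classify_resolution`) are hypothetical helpers written for this example and run without any Azure access.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article or from Microsoft.
# Consumer-side setup of a private endpoint for an existing Azure SQL logical
# server with Private DNS integration, an NSG rule pinned to the endpoint, and a
# resolution check meant to be run from a VM inside the VNET. Every resource
# name, region and address below is an assumed placeholder; override via env.
set -eu

RG="${RG:-rg-privatelink-demo}"             # assumed resource group
LOCATION="${LOCATION:-westeurope}"          # assumed region
VNET="${VNET:-vnet-app}"                    # assumed existing VNET
SUBNET="${SUBNET:-snet-private-endpoints}"  # assumed subnet for the endpoint
NSG="${NSG:-nsg-app}"                       # assumed NSG on the client subnet
SQL_SERVER="${SQL_SERVER:-sql-demo-server}" # assumed existing SQL logical server
PE_NAME="${PE_NAME:-pe-sql-demo}"           # assumed private endpoint name
DNS_ZONE="privatelink.database.windows.net" # zone Azure uses for SQL Database private endpoints

# True when an IPv4 address is in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
  ip="$1"; a="${ip%%.*}"; rest="${ip#*.}"; b="${rest%%.*}"
  if [ "$a" = 10 ]; then return 0; fi
  if [ "$a" = 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; fi
  if [ "$a" = 192 ] && [ "$b" = 168 ]; then return 0; fi
  return 1
}

# Classify a space-separated address list as private, public or unresolved.
# Any public address counts as public: the privatelink zone override is not in
# effect and the client would go out through the public endpoint.
classify_resolution() {
  addrs="$1"; verdict=private
  if [ -z "$addrs" ]; then echo unresolved; return 0; fi
  for ip in $addrs; do
    if ! is_private_ipv4 "$ip"; then verdict=public; fi
  done
  echo "$verdict"
}

# Resolve a host to IPv4 addresses with the system resolver (glibc getent), which
# honours the VNET's DNS settings on a VM inside the VNET; prints nothing if unresolved.
resolve_ipv4() {
  { getent ahostsv4 "$1" 2>/dev/null || true; } | awk '{print $1}' | sort -u | tr '\n' ' '
}

# Step 1: private endpoint for the SQL server (group-id sqlServer selects the SQL
# sub-resource). The endpoint subnet needs private endpoint network policies
# disabled; the flag shown is the one current when the article was written.
create_private_endpoint() {
  sql_id=$(az sql server show --name "$SQL_SERVER" --resource-group "$RG" --query id -o tsv)
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --disable-private-endpoint-network-policies true
  az network private-endpoint create --resource-group "$RG" --name "$PE_NAME" \
    --location "$LOCATION" --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$sql_id" --group-id sqlServer \
    --connection-name "${PE_NAME}-conn"
}

# Step 2: Private DNS integration. The VNET link makes resolvers inside the VNET
# use this zone instead of public DNS; the zone group makes Azure write and keep
# updated the A record <server>.privatelink.database.windows.net -> endpoint IP.
configure_private_dns() {
  az network private-dns zone create --resource-group "$RG" --name "$DNS_ZONE"
  az network private-dns link vnet create --resource-group "$RG" --zone-name "$DNS_ZONE" \
    --name "${VNET}-link" --virtual-network "$VNET" --registration-enabled false
  az network private-endpoint dns-zone-group create --resource-group "$RG" \
    --endpoint-name "$PE_NAME" --name default --private-dns-zone "$DNS_ZONE" --zone-name sql
}

# Step 3: unlike a service endpoint rule using the Sql service tag (which reaches
# every SQL server in the region), the outbound rule is pinned to the endpoint's /32.
restrict_outbound_to_endpoint() {
  pe_ip=$(az network private-endpoint show --resource-group "$RG" --name "$PE_NAME" \
    --query 'customDnsConfigs[0].ipAddresses[0]' -o tsv)
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name allow-sql-private-endpoint \
    --priority 100 --direction Outbound --access Allow --protocol Tcp \
    --destination-address-prefixes "${pe_ip}/32" --destination-port-ranges 1433
}

# Step 4: from inside the VNET the server FQDN must now resolve to a private IP.
verify_resolution() {
  fqdn="${SQL_SERVER}.database.windows.net"
  addrs=$(resolve_ipv4 "$fqdn")
  state=$(classify_resolution "$addrs")
  echo "$fqdn -> ${addrs:-<none>} [$state]"
  [ "$state" = private ]
}

# The Azure steps need 'az login' plus the assumed VNET, subnet, NSG and SQL
# server, so they run only when RUN_AZURE_SETUP=1; otherwise the file just
# defines the helpers (e.g. for sourcing in a monitoring script).
if [ "${RUN_AZURE_SETUP:-0}" = 1 ]; then
  create_private_endpoint
  configure_private_dns
  restrict_outbound_to_endpoint
  verify_resolution
fi
```

Run `RUN_AZURE_SETUP=1 ./private-endpoint.sh` once from a logged-in shell to build the endpoint, then run `verify_resolution` on a VM inside the VNET: `private` means the zone override is working, `public` means clients are still being sent to the public endpoint and the Private DNS link or zone group is missing. The same check from outside the VNET is expected to report `public`, since the privatelink zone is only visible to linked VNETs.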

Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.